Cyber Incident Victim: The University of Michigan

Date: Aug 2023

Location: United States of America

Summary

The University of Michigan experienced a significant security incident that necessitated a complete disconnection from the internet. This action caused a widespread outage affecting online services, WiFi, and campus internet access. IT and cybersecurity teams worked to gradually restore connectivity and cloud-based services while an investigation involving law enforcement partners was initiated.

Description

On Sunday, August 27, 2023, at approximately 1:45 p.m., the University of Michigan experienced a significant technology issue that resulted in a complete and intentional disconnection of its network from the internet. This action severed internet connectivity and WiFi access across all three of its campuses in Ann Arbor, Dearborn, and Flint. The decision to cut off online services was not made lightly, particularly given its timing on the eve of the new academic year. The university's Information Assurance team, in partnership with leading cybersecurity service providers, is tasked with continuously detecting, deflecting, and mitigating a steady stream of malicious activity. After a careful evaluation of a significant security concern that afternoon, the intentional decision was made to sever ties to the internet to provide the information technology teams the space required to address the issue in the safest possible manner. This drastic measure was taken to mitigate the technical issues presented by the security incident.

The immediate impact was a widespread outage rendering all U-M online services inaccessible. Critical systems and platforms, including Google products, Canvas, Wolverine Access, university email, Adobe Creative Suite, Zoom, Dropbox, Slack, and Duo, became unavailable to anyone on campus or relying on the university's network. Additionally, internal systems such as M-Pathways, eResearch, and DART were also taken offline. The university leadership, including President Santa J. Ono and Vice President for Information Technology and Chief Information Officer Ravi Pendse, recognized the immense stress and major inconvenience this caused the campus community and issued a sincere apology for the disruption. Despite the challenges, the university confirmed that all clinical applications at Michigan Medicine remained functional and that no patient care was disrupted, indicating a segmented or protected network environment for critical healthcare operations.

Throughout the evening of August 27th and into the early hours of August 28th, IT teams worked continuously to restore access. Progress was incremental, with updates provided every few hours via the university's main website and its @umichtech Twitter account. By late Sunday evening, the public course schedule website was restored, allowing Ann Arbor students to check class schedules and locations in preparation for the first day of classes, though general internet access remained offline. The university emphasized that classes would still meet on all three campuses, and faculty were instructed to communicate directly with students regarding any necessary adjustments. The university also announced consideration for students whose class attendance or completion of assignments depended on U-M systems, with a waiver of late registration or disenrollment fees through the month of August.

By Monday, August 28th, the IT and cybersecurity teams had made significant strides. A major milestone was achieved when access to cloud-based services was restored for users connecting from off-campus locations or cellular networks. This meant that students, faculty, and staff could authenticate into their U-M accounts and use services like Google, Canvas, Zoom, and Wolverine Access if they were not on university WiFi or wired internet. This restoration alleviated some pressure, though the primary campus internet and WiFi connections remained down. The cellular networks around campus were noted to be under much greater stress than normal due to increased reliance. The investigative aspect of the incident was also formally acknowledged, with the confirmation that the U-M Division of Public Safety and Security and federal law enforcement partners had been informed and were involved in the investigation. The university stated it would not share any information that might compromise this ongoing investigation.

The outage necessitated numerous operational adjustments across the university. Employees were advised to consult with their direct supervisors about additional flexibility with remote work until the internet outage was resolved. Specific guidance was issued for various administrative functions. Annual merit processing was largely unaffected as most data had been loaded before the disruption, with pay changes not taking effect until September 1st. Benefits enrollment deadlines were extended for eligible faculty, staff, and students unable to complete elections due to the outage. Payroll for August was processed normally and paid on August 31st, as the timekeeping data had been entered and approved prior to the outage. Procurement systems like M-Marketsite and M-Pathways eProcurement remained inaccessible, prompting alternative purchasing procedures using PCards with potential temporary credit limit increases. Parking gates were lifted to ensure access for employees with proper permits.

The restoration of full internet and WiFi connectivity on all campuses was finally achieved on the morning of Wednesday, August 30th. An announcement from President Ono and Vice President Pendse confirmed that individuals should be able to connect as normal from any device. However, the announcement cautioned that some issues with select U-M systems and services were expected in the short term, and not all remediation efforts were complete. These residual issues were projected to be resolved over the next several days. The university directed the community to its ITS status page for announcements about any continuing service interruptions and to contact the Service Center for technical assistance. The message reiterated that the investigative work into the security issue continued, and the stance of not sharing compromising details remained. The leadership expressed profound gratitude for the patience of the community and extended a special thank you to the Information and Technology Services team for working tirelessly to address the challenge and maintain the safety of the enterprise systems.

The incident unfolded over a critical three-day period, directly impacting the start of the academic year. The university's response was characterized by a deliberate and cautious approach, prioritizing the security of its systems over immediate convenience. The decision to completely disconnect from the internet was a definitive containment action taken in response to a specific and significant security concern. The restoration process was methodical, focusing first on core cloud services accessible from outside the network before finally bringing the entire internal network back online. Throughout the event, communication was maintained through frequent updates on the university's official website and social media channels. The involvement of federal law enforcement underscores the serious nature of the original security concern that prompted the drastic mitigation measure. The full technical details and the exact nature of the security incident remain undisclosed to protect the integrity of the ongoing investigation.
